The setFee function in the Admin contract allows the admin to set the protocol fee numerator. However, there is no explicit check in the code to ensure that the feeNumerator does not exceed a certain maximum value, which is typically necessary to prevent setting fees that are too high.
function setFee(uint256 feeNumerator) external onlyRole("ADMIN_ADMIN") {
    ESCRW.setFee(feeNumerator);
}
Impact
Without a check on the feeNumerator, an admin could potentially set an excessively high fee, which could be detrimental to the users of the protocol. It could lead to a loss of trust, a decrease in usage, and an overall negative impact on the protocol's reputation and adoption. In the worst case, if the fee is set to 100% or higher, it could effectively lock users' funds within the escrow module.
Mitigations
Fee Cap: Implement a maximum fee cap within the setFee function to prevent setting the fee higher than a reasonable percentage (e.g., 10%).
Governance Approval: Require that changes to the fee structure be approved through a governance process, such as a DAO vote, to ensure community consensus.
Fee Change Notification: Implement an event that is emitted when the fee is changed, providing transparency and allowing users to be notified of fee adjustments.
Time-Lock Mechanism: Introduce a time-lock delay for fee changes to give users time to react and adjust to the new fee structure before it takes effect.
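The fee cap, change event and time-lock from the list above, combined in one two-step setter. This is an added example, not code from the re-nft repository: the contract name, the IEscrowFee interface, the single-admin check standing in for onlyRole("ADMIN_ADMIN"), the basis-point denominator, the 10% cap and the 2-day delay are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical stand-in for the escrow module; only the setFee call appears on the page.
interface IEscrowFee {
    function setFee(uint256 feeNumerator) external;
}

contract CappedFeeAdmin {
    // Assumptions: basis-point denominator (10_000), 10% cap, 2-day delay.
    uint256 public constant MAX_FEE_NUMERATOR = 1_000;
    uint256 public constant FEE_CHANGE_DELAY = 2 days;
    IEscrowFee public immutable ESCRW;
    address public immutable admin; // stand-in for onlyRole("ADMIN_ADMIN")
    uint256 public pendingFeeNumerator;
    uint256 public pendingFeeEta; // 0 means nothing is queued
    event FeeChangeQueued(uint256 feeNumerator, uint256 eta);
    event FeeChanged(uint256 feeNumerator);
    error NotAdmin();
    error FeeTooHigh(uint256 requested, uint256 maximum);
    error FeeNotReady(uint256 eta);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(IEscrowFee escrow, address admin_) {
        ESCRW = escrow;
        admin = admin_;
    }

    // Step 1: reject values above the cap, then announce the queued change.
    function queueFee(uint256 feeNumerator) external onlyAdmin {
        if (feeNumerator > MAX_FEE_NUMERATOR) revert FeeTooHigh(feeNumerator, MAX_FEE_NUMERATOR);
        pendingFeeNumerator = feeNumerator;
        pendingFeeEta = block.timestamp + FEE_CHANGE_DELAY;
        emit FeeChangeQueued(feeNumerator, pendingFeeEta);
    }

    // Step 2: apply the queued value only after the delay has elapsed.
    function executeFee() external onlyAdmin {
        uint256 eta = pendingFeeEta;
        if (eta == 0 || block.timestamp < eta) revert FeeNotReady(eta);
        uint256 fee = pendingFeeNumerator;
        delete pendingFeeEta; // clear before the external call
        ESCRW.setFee(fee);
        emit FeeChanged(fee);
    }
}
```

Users and monitoring tools can watch FeeChangeQueued to learn of a fee change before it takes effect.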
Lines of code
https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Admin.sol#L173
Assessed type
Invalid Validation